From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.0 required=3.0 tests=MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90738C2BB55 for ; Thu, 9 Apr 2020 21:45:45 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 507892072F for ; Thu, 9 Apr 2020 21:45:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 507892072F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 113AC8E001C; Thu, 9 Apr 2020 17:45:41 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 025AD8E0003; Thu, 9 Apr 2020 17:45:40 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E513D8E001C; Thu, 9 Apr 2020 17:45:40 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0118.hostedemail.com [216.40.44.118]) by kanga.kvack.org (Postfix) with ESMTP id C567F8E0003 for ; Thu, 9 Apr 2020 17:45:40 -0400 (EDT) Received: from smtpin25.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 91625181AEF30 for ; Thu, 9 Apr 2020 21:45:40 +0000 (UTC) X-FDA: 76689648840.25.cart84_6bb818a88ea22 X-HE-Tag: cart84_6bb818a88ea22 X-Filterd-Recvd-Size: 6065 Received: from mail-pg1-f196.google.com (mail-pg1-f196.google.com [209.85.215.196]) by imf29.hostedemail.com (Postfix) with ESMTP for ; Thu, 9 Apr 2020 21:45:40 +0000 (UTC) Received: by mail-pg1-f196.google.com with SMTP id c5so98249pgi.7 for ; Thu, 09 Apr 2020 14:45:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=gy1UfSr56zzS49pk3P0leehV/LFyixVBPxU1Vl/ddsw=; b=mVJTRKWhuv6d4rSYwx8fDP/N1LELGq/bDIyg0TxIOkS2P7cUaULAv/aupTMuhuYPwI CE98Bq9wXr/DCiEb0a0nwDNZquRHJ6Rof2eRrqcSsPN5PxR51QMBV7KUn6CLHdJ2gOIn sXbkQ+UWTssRGm/omd10PhMPyoonXEWdqAACy6oGjbw0zmeo/Elp56Bd+A8sCy74b8bP zUU4pzxfG2IVmZkwG+5qNmFNRgbcCqerPwp7hO0v8rtVvYy+0ggb9HU2oIL/zSUxD5sv i1b+vIVuPShbwmTSNEYP6FMCa3EfMT+XcyDQzCx7lp+dPrNvNB2e/I6r0mojP2NIMTrg mHBg== X-Gm-Message-State: AGi0PuYgDmuEO4EYP7U/cJIOe5eFpmN5d7n9JeXsWyQqEVFhmnkSpKjw zEiVd7FnjVEzSUaspxhAczk= X-Google-Smtp-Source: APiQypIRu35uCdJrL/5JzRDGZkG7eCJZdWSQQYH/I+boGDvDxSG5cHBQsRqIpIeV686q3aFn7ST2rg== X-Received: by 2002:aa7:8bda:: with SMTP id s26mr1667719pfd.142.1586468739160; Thu, 09 Apr 2020 14:45:39 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id c15sm67565pgk.66.2020.04.09.14.45.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2020 14:45:37 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 1753940246; Thu, 9 Apr 2020 21:45:32 +0000 (UTC) From: Luis Chamberlain To: axboe@kernel.dk, viro@zeniv.linux.org.uk, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com, nstange@suse.de, akpm@linux-foundation.org Cc: mhocko@suse.com, yukuai3@huawei.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Luis Chamberlain Subject: [RFC v2 0/5] blktrace: fix use after free Date: Thu, 9 Apr 2020 21:45:25 +0000 Message-Id: <20200409214530.2413-1-mcgrof@kernel.org> X-Mailer: git-send-email 2.23.0.rc1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: This series fixes a use after free on block trace. This v2 adjusts the commit log feedback from the first iteration, and also expands on the series to include a few additional fixes which would be needed for us to continue with a synchronous request_queue removal. The refcount added for blktrace resolves the kobject issues pointed out by yukuai. Note that CONFIG_DEBUG_KOBJECT_RELEASE purposely was added to create situations where drivers misbehave, and so you should not use it to test expected userspace behaviour, but just to catch possible kernel issues. For details refer to the commit which introduced it, which actually helps a bit more than just reading the kconfig description, its commit was c817a67ecba7 ("kobject: delayed kobject release: help find buggy drivers"). This series also fixes a small build issue discovered by 0-day. The QUEUE_FLAG_DEFER_REMOVAL flag is added as part of the last patch, just in case for now. However, given creative use of refcounting I don't think we need it anymore. An example use case of creative use of refcounting is provided for mm/swapfile. I've extended break-blktrace [0] with 3 test cases which now pass for the most part: run_0001.sh run_0002.sh run_0003.sh The exception to this is when we get an EBUSY on loopback removal. This only happens every now and then, and upon further investigation, I suspect this is happening due to the same race Dave Chinner ran into with using loopback devices and fstests, which made explicit loopback destruction lazy via commit a1ecac3b0656 ("loop: Make explicit loop device destruction lazy"). Further eyeballs on this are appreciated, perhaps break-blktrace can be extended a bit to account for this. After a bit of brushing up, I am considering just upstreaming this as a self tests for blktrace, instead of keeping this out of tree. Worth noting as well was that it seems odd we didn't consider the userspace impact of commit dc9edc44de6c ("block: Fix a blk_exit_rl() regression") merged on v4.12 moved, as that deferral work sure did have an impact what userspace can expect upon device removal or races on addition/removal. Its not clear if mentioning any of this on the commit logs is worth it... Shouldn't have that deferral been a userspace regression? If you want this on a git tree you can find it on my 20200409-blktrace-fi= x-uaf branch on kernel.org based on linux-next next-20200409. Feedback, reviews, rants are all greatly appreciated. [0] https://github.com/mcgrof/break-blktrace [1] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux-next.git= /log/?h=3D20200409-blktrace-fix-uaf Luis Chamberlain (5): block: move main block debugfs initialization to its own file blktrace: fix debugfs use after free blktrace: ref count the request_queue during ioctl mm/swapfile: refcount block and queue before using blkcg_schedule_throttle() block: revert back to synchronous request_queue removal block/Makefile | 1 + block/blk-core.c | 9 +------- block/blk-debugfs.c | 27 ++++++++++++++++++++++ block/blk-mq-debugfs.c | 5 ----- block/blk-sysfs.c | 43 +++++++++++++++++++++++++++++------- block/blk.h | 17 ++++++++++++++ include/linux/blkdev.h | 7 +++++- include/linux/blktrace_api.h | 1 - kernel/trace/blktrace.c | 25 ++++++++++++--------- mm/swapfile.c | 11 +++++++++ 10 files changed, 112 insertions(+), 34 deletions(-) create mode 100644 block/blk-debugfs.c --=20 2.25.1